STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-002470

Definition

Only allow the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Parent Control

SC-23 (5): Session Authenticity (System and Communications Protection)

Linked STIG Checks (147)

ID | Severity | Requirement | STIG / SRG
V-237048 | CAT II | The A10 Networks ADC being used for TLS encryption and decryption using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certificate Authorities (CAs) for the establishment of protected sessions. | A10 Networks ADC ALG Security Technical Implementation Guide
V-213126 | CAT III | Adobe Acrobat Pro DC Continuous periodic downloading of Adobe European certificates must be disabled. | Adobe Acrobat Professional DC Continuous Track Security Technical Implementation Guide
V-213138 | CAT III | Adobe Acrobat Pro DC Continuous Periodic downloading of Adobe certificates must be disabled. | Adobe Acrobat Professional DC Continuous Track Security Technical Implementation Guide
V-213190 | CAT III | Adobe Reader DC must disable periodical uploading of European certificates. | Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide
V-213191 | CAT III | Adobe Reader DC must disable periodical uploading of Adobe certificates. | Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide
V-279063 | CAT II | ColdFusion must be configured to use only DOD-approved keystores and truststores containing certificates issued by a DOD Public Key Infrastructure (PKI) Certificate Authority (CA), and all keystore and truststore files must be protected by file system permissions that prevent unauthorized access or modification. | Adobe ColdFusion Security Technical Implementation Guide
V-76433 | CAT I | Kona Site Defender providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
V-274063 | CAT II | Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Amazon Linux 2023 Security Technical Implementation Guide
V-268124 | CAT II | NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Anduril NixOS Security Technical Implementation Guide
V-214230 | CAT II | The Apache web server must use cryptography to protect the integrity of remote sessions. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
V-214300 | CAT II | The Apache web server must only accept client certificates issued by DOD PKI or DoD-approved PKI Certification Authorities (CAs). | Apache Server 2.4 UNIX Site Security Technical Implementation Guide
V-214328 | CAT II | The Apache web server must only accept client DOD-approved and RFC 5280-compliant certificates. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
V-222994 | CAT II | Certificates in the trust store must be issued/signed by an approved CA. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-252477 | CAT II | The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257183 | CAT II | The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-259536 | CAT II | The macOS system must issue or obtain public key certificates from an approved service provider. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-268471 | CAT II | The macOS system must set smart card certificate trust to moderate. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268534 | CAT II | The macOS system must issue or obtain public key certificates from an approved service provider. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277078 | CAT II | The macOS system must set smart card certificate trust to moderate. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277143 | CAT II | The macOS system must issue or obtain public key certificates from an approved service provider. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-205003 | CAT II | The ALG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Application Layer Gateway Security Requirements Guide
V-222584 | CAT II | The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions. | Application Security and Development Security Technical Implementation Guide
V-204811 | CAT II | The application server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Application Server Security Requirements Guide
V-237339 | CAT I | The ArcGIS Server keystores must only contain certificates of PKI established certificate authorities for verification of protected sessions. | ArcGIS for Server 10.3 Security Technical Implementation Guide
V-272639 | CAT II | CylanceON-PREM must be configured with a DOD issued certificate (or another authorizing official [AO]-approved certificate). | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
V-256848 | CAT II | Compliance Guardian must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions. | AvePoint Compliance Guardian Security Technical Implementation Guide
V-253518 | CAT II | DocAve must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | AvePoint DocAve 6 Security Technical Implementation Guide
V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-79025 | CAT II | The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DoD certificates for SSL. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-254717 | CAT II | The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DOD certificates for SSL. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-237398 | CAT II | The CA API Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | CA API Gateway ALG Security Technical Implementation Guide
V-219321 | CAT II | The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238364 | CAT II | The Ubuntu operating system must use DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260580 | CAT II | Ubuntu 22.04 LTS must use DOD PKI-established certificate authorities for verification of the establishment of protected sessions. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270745 | CAT II | Ubuntu 24.04 LTS must use DOD PKI-established certificate authorities (CAs) for verification of the establishment of protected sessions. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-221927 | CAT II | The Central Log Server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Central Log Server Security Requirements Guide
V-234260 | CAT I | Citrix Linux Virtual Delivery Agent must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide
V-213208 | CAT I | Citrix Receiver must implement DoD-approved encryption. | Citrix XenDesktop 7.x Receiver Security Technical Implementation Guide
V-269427 | CAT II | AlmaLinux OS 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233603 | CAT II | PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Crunchy Data PostgreSQL Security Technical Implementation Guide
V-261929 | CAT II | PostgreSQL must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Crunchy Data Postgres 16 Security Technical Implementation Guide
V-206603 | CAT II | The DBMS must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Database Security Requirements Guide
V-235841 | CAT II | Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-235842 | CAT II | Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-205213 | CAT II | If the DNS server is using SIG(0), the DNS server implementation must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected transactions. | Domain Name System (DNS) Security Requirements Guide
V-271049 | CAT II | The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions. | Dragos Platform 2.x Security Technical Implementation Guide
V-224205 | CAT II | The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-213630 | CAT II | The EDB Postgres Advanced Server must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-260031 | CAT II | The Enterprise Voice, Video, and Messaging Session Manager must only allow the use of DOD-approved PKI certificate authorities when using PKI. | Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
V-259289 | CAT II | The EDB Postgres Advanced Server must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-260054 | CAT III | The F5 BIG-IP appliance APM Access Policies that grant access to web application resources must allow only client certificates that have the User Persona Name (UPN) value in the User Persona Client Certificates. | F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
V-215789 | CAT II | The F5 BIG-IP appliance providing user authentication intermediary services must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-266139 | CAT I | The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum. | F5 BIG-IP TMOS ALG Security Technical Implementation Guide
V-278403 | CAT II | NGINX must only allow using DOD approved certificate authorities for PKI. | F5 NGINX Security Technical Implementation Guide
V-203744 | CAT II | The operating system must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system. | General Purpose Operating System Security Requirements Guide
V-255287 | CAT II | The HPE 3PAR OS must be configured to only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-255289 | CAT II | The HPE 3PAR OS syslog-sec-client must be configured to perform mutual TLS authentication using a CA-signed client certificate. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-255293 | CAT II | The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with an External Key Manager. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-255297 | CAT II | The HPE 3PAR OS must be configured to perform mutual TLS authentication using a CA-signed client certificate when communicating with an External Key Manager. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-255299 | CAT II | The HPE 3PAR OS must be configured to only use DOD PKI established certificate authorities for authentication in the establishment of protected sessions to the operating system with a centralized account management server. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-215215 | CAT II | AIX must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | IBM AIX 7.x Security Technical Implementation Guide
V-213728 | CAT II | DB2 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-65269 | CAT II | The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | IBM DataPower ALG Security Technical Implementation Guide
V-255791 | CAT II | The MQ Appliance messaging server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected (messaging) sessions. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-250338 | CAT II | The WebSphere Liberty Server must use DoD-issued/signed certificates. | IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255880 | CAT II | The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-223421 | CAT II | All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223648 | CAT II | All digital certificates in use must have a valid path to a trusted certification authority (CA). | IBM z/OS RACF Security Technical Implementation Guide
V-223871 | CAT II | All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA). | IBM z/OS TSS Security Technical Implementation Guide
V-224771 | CAT II | The ISEC7 SPHERE must allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions. | ISEC7 Sphere Security Technical Implementation Guide
V-251417 | CAT II | The Ivanti EPMM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Ivanti EPMM Server Security Technical Implementation Guide
V-251417 | CAT II | The Ivanti MobileIron Core server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Ivanti MobileIron Core MDM Server Security Technical Implementation Guide
V-251032 | CAT II | The Sentry providing mobile device authentication intermediary services using PKI-based mobile device authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
V-251032 | CAT II | The Sentry providing mobile device authentication intermediary services using PKI-based mobile device authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Ivanti Sentry 9.x ALG Security Technical Implementation Guide
V-213545 | CAT II | JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
V-66673 | CAT II | The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Juniper SRX SG VPN Security Technical Implementation Guide
V-214693 | CAT II | The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Juniper SRX Services Gateway VPN Security Technical Implementation Guide
V-253738 | CAT II | MariaDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | MariaDB Enterprise 10.x Security Technical Implementation Guide
V-220386 | CAT II | MarkLogic Server must only accept end-entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | MarkLogic Server v9 Security Technical Implementation Guide
V-218749 | CAT II | A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-218767 | CAT II | The IIS 10.0 website must only accept client certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs). | Microsoft IIS 10.0 Site Security Technical Implementation Guide
V-220903 | CAT II | The DoD Root CA certificates must be installed in the Trusted Root Store. | Microsoft Windows 10 Security Technical Implementation Guide
V-220905 | CAT II | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows 10 Security Technical Implementation Guide
V-220906 | CAT II | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows 10 Security Technical Implementation Guide
V-253429 | CAT II | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows 11 Security Technical Implementation Guide
V-253430 | CAT II | The US DOD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows 11 Security Technical Implementation Guide
V-215629 | CAT II | The Windows 2012 DNS Server must only allow the use of an approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions. | Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
V-225021 | CAT II | The DoD Root CA certificates must be installed in the Trusted Root Store. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-225023 | CAT II | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-205648 | CAT II | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-205649 | CAT II | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-205650 | CAT II | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-254442 | CAT II | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-254443 | CAT II | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-254444 | CAT II | Windows Server 2022 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-278192 | CAT II | Windows Server 2025 must have the DOD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-278193 | CAT II | Windows Server 2025 must have the DOD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-278194 | CAT II | Windows Server 2025 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-259392 | CAT II | The Windows DNS Server must use an approved DOD PKI certificate authority. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
V-221195 | CAT II | MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
V-252178 | CAT II | MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
V-265946 | CAT II | MongoDB must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
V-279386 | CAT II | MongoDB must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
V-254114 | CAT I | Nutanix AOS must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide
V-279445 | CAT II | Nutanix AOS must be configured to use DOD PKI-issued certificates. | Nutanix Acropolis Application Server Security Technical Implementation Guide
V-273207 | CAT II | Okta must be configured to use only DOD-approved certificate authorities. | Okta Identity as a Service (IDaaS) Security Technical Implementation Guide
V-221513 | CAT II | OHS must have the LoadModule ossl_module directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221514 | CAT II | OHS must have the SSLFIPS directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221515 | CAT II | OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221516 | CAT II | OHS must have the SSLCipherSuite directive enabled so SSL requests can be processed with client certificates only issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221517 | CAT II | OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-221518 | CAT II | OHS must use wallets that have only DoD certificate authorities defined. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
V-271901 | CAT II | OL 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to OL 9. | Oracle Linux 9 Security Technical Implementation Guide
V-235191 | CAT II | The MySQL Database Server 8.0 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Oracle MySQL 8.0 Security Technical Implementation Guide
V-228859 | CAT II | The Palo Alto Networks security platform being used for TLS/SSL decryption using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certificate Authorities (CAs) for the establishment of protected sessions. | Palo Alto Networks ALG Security Technical Implementation Guide
V-214137 | CAT II | PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | PostgreSQL 9.x Security Technical Implementation Guide
V-251239 | CAT II | Redis Enterprise DBMS must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | Redis Enterprise 6.x Security Technical Implementation Guide
V-254093 | CAT I | Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts. | SPEC Innovations Innoslate 4.x Security Technical Implementation Guide
V-221932 | CAT II | Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions. | Splunk Enterprise 7.x for Windows Security Technical Implementation Guide
V-251690 | CAT II | Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions. | Splunk Enterprise 8.x for Linux Security Technical Implementation Guide
V-279167 | CAT II | The Edge SWG must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | Symantec Edge SWG ALG Security Technical Implementation Guide
V-94313 | CAT II | If reverse proxy is used for validating and restricting certs from external entities, and this function is required by the SSP, Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Symantec ProxySG ALG Security Technical Implementation Guide
V-241045 | CAT II | The Tanium Server certificate must be signed by a DoD Certificate Authority. | Tanium 7.0 Security Technical Implementation Guide
V-234106 | CAT II | The Tanium Server certificate must be signed by a DoD Certificate Authority. | Tanium 7.3 Security Technical Implementation Guide
V-254947 | CAT II | The Tanium Server certificate must be signed by a DOD Certificate Authority. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
V-253860 | CAT II | The Tanium Server certificate must be signed by a DoD certificate authority (CA). | Tanium 7.x Security Technical Implementation Guide
V-241166 | CAT II | Trend Deep Security must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Trend Micro Deep Security 9.x Security Technical Implementation Guide
V-234243 | CAT II | The UEM Agent must only accept policies and policy updates that are digitally signed by a certificate that has been authorized for policy updates by the UEM Server. | Unified Endpoint Management Agent Security Requirements Guide
V-234244 | CAT II | The UEM Agent must perform the following functions: Import the certificates to be used for authentication of UEM Agent communications. | Unified Endpoint Management Agent Security Requirements Guide
V-234573 | CAT II | The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Unified Endpoint Management Server Security Requirements Guide
V-234574 | CAT II | The UEM server must be configured to use X.509v3 certificates for code signing for system software updates. | Unified Endpoint Management Server Security Requirements Guide
V-234575 | CAT II | The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification. | Unified Endpoint Management Server Security Requirements Guide
V-256892 | CAT I | The UEM server must provide digitally signed policies and policy updates to the UEM agent. | Unified Endpoint Management Server Security Requirements Guide
V-264368 | CAT I | The UEM server must sign policies and policy updates using a private key associated with [selection: an X509 certificate, a public key provisioned to the agent trusted by the agent] for policy verification. | Unified Endpoint Management Server Security Requirements Guide
V-264369 | CAT I | The UEM server, for each unique policy managed, must validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent] associated with a policy signing key uniquely associated with the policy. | Unified Endpoint Management Server Security Requirements Guide
V-239849 | CAT II | The application server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | VMware Automation 7.x Application Security Technical Implementation Guide
V-246897 | CAT II | The Horizon Connection Server must be configured with a DoD-issued TLS certificate. | VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
V-239843 | CAT II | The vRealize Operations server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | VMware vRealize Operations Manager 6.x Application Security Technical Implementation Guide
V-256342 | CAT II | The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority. | VMware vSphere 7.0 vCenter Security Technical Implementation Guide
V-258928 | CAT II | The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
V-207493 | CAT II | The VMM must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Virtual Machine Manager Security Requirements Guide
V-264334 | CAT II | The VPN Gateway providing authentication intermediary services must only accept end entity certificates (user or machine) issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of VPN sessions. | Virtual Private Network (VPN) Security Requirements Guide
V-206430 | CAT II | The web server must only accept client certificates (user and machine) issued by DOD PKI or DOD-approved PKI Certificate Authorities (CAs). | Web Server Security Requirements Guide
V-269584 | CAT II | Xylok Security Suite must only allow the use of DOD Public Key Infrastructure (PKI) established certificate authorities (CAs) for verification of the establishment of protected sessions. | Xylok Security Suite 20.x Security Technical Implementation Guide
V-224355 | CAT II | WebSphere MQ channel security is not implemented in accordance with security requirements. | zOS WebSphere MQ for ACF2 Security Technical Implementation Guide
V-224552 | CAT II | WebSphere MQ channel security is not implemented in accordance with security requirements. | zOS WebSphere MQ for RACF Security Technical Implementation Guide
V-225624 | CAT II | WebSphere MQ channel security is not implemented in accordance with security requirements. | zOS WebSphere MQ for TSS Security Technical Implementation Guide